Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system). The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a clean (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new clean file is opened without incident. They are working with Microsoft on this.

We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and pings this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

We have traced nearly this attack to the far east; specifically, China and Taiwan. IP's seen are registered there, domains seen are registered there, and the emails received originated from a server in that region. The attackers appear to be aware that they have been outed, and have been routinely changing the IP address associated with the URL above.

Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible.

Users should be aware that as of now this vulnerability is only being exploited as a very concentrated and targeted attack. That said, Microsoft is working diligently with anti-virus vendors to update their products in an effort to detect and combat a more widespread use of this exploit. Microsoft also states that they have a patch for this security issue ready and it is currently in testing and scheduled to be released as part of the June security updates on June 13, 2006, or sooner if necessary.